--On Friday, 17 August, 2007 16:18 -0700 SM <sm@xxxxxxxxxxxx> wrote:

>...
>> message and not the transport. If the primary concern is
>> communications between a financial institution with which the
>> user already has an account (or equivalent relationship) and
>> that user, we don't even have the usual PKI problems: one can
>> deliver a sender key or cert out of band, validate it, and be
>> finished.
>
> There are ways to validate the sender the first time you
> establish a contact. Once that is done, you can use it to
> validate future communication you receive from that
> correspondent.

Sure. As long as we all understand that there are tradeoffs associated with each of these.

End-to-end signatures require that both sender and recipient be able to manage keys (directly or indirectly), but do not depend on every actor in the transport chain being trustworthy, trusted, and willing to play. Used carefully, they are also insensitive to forwarding, resending, and mid-transport rerouting.

Hop-by-hop transport-based solutions appear to be easier to deploy --although there are some concerns about transitivity of trust relationships and the ability of large mail providers to force the smaller ones out, among other things-- and they generally work much better when there is a direct connection between the originating MSA and the final delivery MTA than when relays are involved. But they also tend to restrict services somewhat.

For example, there is a long, and IMO desirable, history of people setting up "stable addresses" via a friend or institution -- addresses that can remain constant even though the actual mail address and mail store provided by a vendor or ISP may change over time. This reduces ISP or mail-provider lock-in and seems like a good idea to many people. However, suppose the user Joe Blogs maintains a permanent address at Joe.Blogs@xxxxxxxxxxxxxxxxxxxxx and has, this month, a mailbox at joebloggs123@xxxxxxxxxx. Similarly, J. Random Member has a permanent mailbox at j.random.member@xxxxxxx but a mail account at jrm@xxxxxxxxxxxxxxxxxxxxxxx. While some workarounds are possible, it is not obvious mail is sent from j.random.member@xxxxxxx to Joe.Bloggs@xxxxxxxxxxxxxxxxxxxxx given that the message originates from the domain and address space of postoffice.example.net, but that administration doesn't know about, or have any relationship to, acm.org, and hooya.com doesn't have any information about routings via forwarder.example.com.

Maybe we have to give that up --and give in to the desire of those who run the large email services to advertise themselves and lock users in-- but, from my point of view, the techniques had better have very high leverage on spam and criminal enterprises in order to justify that. Otherwise, we just reduce the capabilities and attractiveness of the mail system and increase the burdens on legitimate senders and receivers without accomplishing much. And, to me, that feels a bit too much like just helping the bad guys win.

john

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf